GoldenEye
GoldenEye is ransomware that runs on Microsoft Windows and combines disk encryption with file encryption. It is a combination of Petya and Mischa and carries both encryption methods.

Payloads

Transmission

GoldenEye is distributed through spam email. The email delivers a fake job offer, written in German, with two attachments: a fake CV document and a malicious Microsoft Excel worksheet. The worksheet contains macros that download the GoldenEye executable from the network and run it on the machine.

Infection

If the Excel file is opened, a pop-up appears asking the user to "enable macros". If the macros are enabled, the Excel file writes out an executable and launches the ransomware.

GoldenEye then adjusts its own token privileges with AdjustTokenPrivileges, requesting SeDebugPrivilege, SeShutdownPrivilege and SeTcbPrivilege, and asks for UAC elevation. If it obtains these privileges, it deploys both the Mischa payload and the Petya disk payload. If it does not, it tries to bypass UAC (when UAC is set to "Medium" or "Low"); if that also fails, it deploys only the Mischa payload and encrypts every file on every disk of the machine. All of this is done by the GoldenEye DLL, core.dll; the payloads are encrypted and stored in the .xxxx section of the file, as in the original Petya. The UAC bypass is done by two DLLs of the malware, elevate_x86.dll and elevate_x64.dll: the first is run on 32-bit systems, the second otherwise.

GoldenEye (in the Mischa payload) encrypts files with a combined AES-256 and RSA-2048 scheme and only then attempts to modify the MBR and deploy the disk payload, thereby preventing victims from stopping the encryption process.

It uses ADVAPI32.DLL functions, in particular CryptGenRandom (for key generation) and CryptAcquireContext and CryptEncrypt (for encryption). The encryption routines are identical to Mischa's, from which they were taken. The following extensions are encrypted (the same list Mischa uses):

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After successful encryption, GoldenEye creates a text file, "YOUR_FILES_ARE_ENCRYPTED.txt", containing the ransom note and places it in every folder that was encrypted (for example Desktop, My Documents, etc.). It also appends eight random characters to the name of each encrypted file (for example, "sample.jpg" might be renamed to "sample.jpg.g8k3jmol").

The ransom note informs victims of the encryption and demands a payment of 1.31034193 Bitcoin (approximately $1000) for decryption. To pay, victims must follow the instructions on GoldenEye's Tor website, linked from the ransom note. The encryption cannot be reversed without the key.

GoldenEye then creates a randomly named folder, with a random CLSID, in the current user's APPDATA folder, and inside it a randomly named EXE file with random properties copied from files in the SYSTEM folder and no icon; this executable deploys the Petya payload. It is run and asks for UAC elevation. If it obtains the privileges, it writes the Petya MBR payload to the disk, with different master keys, a different message and a different color. It is deployed the same way Petya deploys it, with the same sector positions except one (the Petya kernel begins at the second sector, right after the MBR), and the same encryption algorithm (Salsa20).

The ransom note GoldenEye drops after successful file encryption contains the following text:

You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "hxxps://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:
hxxp://golden5a4eqranh7.onion/oTmqRcKj
hxxp://goldeny4vs3nyoht.onion/oTmqRcKj
3. Enter your personal decryption code there:
oTmqRcKj6ZvwAsqewqzYz9t8smYzWLaAzsvjQ5YX8JY53FKv5nAHc7W9L4VFnwSGd8Dw4rVi2nfk

The fake CHKDSK message shown by the disk payload is identical to this one:

Repairing file system on C:
The type of the file system in NTFS
One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.
WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!
CHKDSK is repairing sector - of -

The ransom demand shown if the MBR payload is deployed:

You became a victim of the GOLDENEYE RANSOMWARE!
The hard disks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at “hxxps://www.torproject.org/“. If you need help, please google for “access onion page”.
2. Visit one of the following pages with the Tor Browser:
hxxp://goldenhjnqvc2lld.onion/
hxxp://golden2uqpiqcs6j.onion/
3. Enter your personal decryption code there: -
If you already purchased your key, please enter it below.

Categories: Ransomware, Win32 ransomware, Win32, Microsoft Windows, Assembly
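The file-stage artefacts described above (the "YOUR_FILES_ARE_ENCRYPTED.txt" note dropped in each encrypted folder, the eight-character suffix appended to files whose extension is in the targeted list, and the .onion URLs and personal decryption code inside the note) are what an incident responder looks for first. The following triage helper is an added example written for this page; it is not code from the page or from any vendor tool. It assumes the random suffix consists of lowercase letters and digits, as in the page's "sample.jpg.g8k3jmol" example (the page only says "eight random characters"), and uses only a subset of the extension list. The directory listing and note text it runs on are constructed for the example.

```python
"""Offline triage helper for GoldenEye/Mischa file-stage artefacts (added example)."""
import re
from collections import Counter

RANSOM_NOTE_NAME = "YOUR_FILES_ARE_ENCRYPTED.txt"

# Subset of the extension list on the page; extend with the full list in practice.
TARGETED_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".pdf", ".docx", ".doc", ".xlsx", ".xls", ".pptx",
    ".txt", ".zip", ".rar", ".7z", ".sql", ".mdb", ".pst", ".py", ".js", ".pem",
}

# Assumption: the appended suffix is eight lowercase letters/digits, as in
# "sample.jpg.g8k3jmol". <stem><ext>.<suffix>; the stem itself may contain dots.
SUFFIX_RE = re.compile(
    r"^(?P<stem>.+)(?P<ext>\.[A-Za-z0-9]{1,8})\.(?P<suffix>[a-z0-9]{8})$"
)

# Defanged (hxxp) or live (http) .onion links, v2 (16 chars) or v3 (56 chars).
ONION_RE = re.compile(r"h(?:xx|tt)ps?://[a-z2-7]{16,56}\.onion(?:/[A-Za-z0-9]*)?")
# The personal code that follows "Enter your personal decryption code there:".
CODE_RE = re.compile(r"personal decryption code there:\s*([A-Za-z0-9]{20,})")


def _split(path):
    """Return (folder, filename) for a Windows or POSIX path."""
    norm = path.replace("\\", "/")
    folder, _, name = norm.rpartition("/")
    return folder, name


def classify_path(path):
    """Return 'ransom_note', 'encrypted', or None for a single path."""
    _, name = _split(path)
    if name == RANSOM_NOTE_NAME:
        return "ransom_note"
    m = SUFFIX_RE.match(name)
    if m and m.group("ext").lower() in TARGETED_EXTENSIONS:
        return "encrypted"
    return None


def triage_listing(paths):
    """Summarise a listing: ransom notes, renamed files, and per-folder counts."""
    notes, encrypted = [], []
    for p in paths:
        kind = classify_path(p)
        if kind == "ransom_note":
            notes.append(p)
        elif kind == "encrypted":
            encrypted.append(p)
    folders = Counter(_split(p)[0] for p in encrypted)
    return {"ransom_notes": notes, "encrypted": encrypted, "folders": dict(folders)}


def extract_note_iocs(note_text):
    """Pull the .onion payment URLs and the personal decryption code from a note."""
    code = CODE_RE.search(note_text)
    return {
        "onion_urls": ONION_RE.findall(note_text),
        "decryption_code": code.group(1) if code else None,
    }


# Constructed sample listing (not from a real system).
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\YOUR_FILES_ARE_ENCRYPTED.txt",
    r"C:\Users\alice\Desktop\budget.xlsx.k2m9xq1a",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.g8k3jmol",
    r"C:\Users\alice\Pictures\YOUR_FILES_ARE_ENCRYPTED.txt",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Downloads\archive.tar.gz",
]

# Constructed note text, reproducing the wording and links quoted on the page.
SAMPLE_NOTE = """You became victim of the GOLDENEYE RANSOMWARE!
1. Download the Tor Browser at "hxxps://www.torproject.org/".
2. Visit one of the following pages with the Tor Browser:
hxxp://golden5a4eqranh7.onion/oTmqRcKj
hxxp://goldeny4vs3nyoht.onion/oTmqRcKj
3. Enter your personal decryption code there:
oTmqRcKj6ZvwAsqewqzYz9t8smYzWLaAzsvjQ5YX8JY53FKv5nAHc7W9L4VFnwSGd8Dw4rVi2nfk
"""

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"ransom notes : {len(summary['ransom_notes'])}")
    print(f"renamed files: {len(summary['encrypted'])}")
    for folder, n in summary["folders"].items():
        print(f"  {folder}: {n}")
    print(extract_note_iocs(SAMPLE_NOTE))
```

The suffix matcher will also flag a legitimately named file such as "data.sql.backup12", so the per-folder counts and the presence of the note in the same folder are what make a hit credible; the extracted URLs and code are the values to record as indicators for the incident, not to visit.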